
Cyber Incident Victim: Kansas Department of Commerce

Date: Mar 2017

Location: United States of America

Summary

Hackers exploited a coding error in a multi-state job-seeking platform managed by the Kansas Department of Commerce, compromising over 5.5 million Social Security numbers and 805,000 additional accounts lacking SSNs. The breach affected residents across ten states, with forensic analysis confirming unauthorized access to resume databases containing names, birth dates, and employment information. The agency engaged third-party firms for incident response, legal services, and credit monitoring provisions—covering one year for most victims and three years for Delaware residents due to contractual obligations. Costs included undisclosed expenses for victim call centers and credit protection services, alongside $175,000 for legal counsel and $60,000 for IT remediation. While the division asserted this was its first known breach and exceeded state-mandated response measures, privacy advocates criticized the monitoring duration as insufficient given the sensitivity of exposed data. Some affected individuals remained unaware of the compromise due to limited notification methods.


Description

On March 12, 2017, suspicious activity was detected in a data system operated by America’s Job Link Alliance-TS (AJLA-TS), a division of the Kansas Department of Commerce. The system managed job-seeking platforms like Kansasworks.com, which hosted resumes and job listings for users across multiple states. AJLA-TS isolated the breach by March 14 and contacted the FBI on March 15. Forensic analysis by a third-party IT firm confirmed hackers exploited a coding error to access personal data, though the specific vulnerability wasn't detailed in released documents. The investigation revealed unauthorized access to 5.5 million user accounts containing Social Security numbers (SSNs) across 10 states, with over 500,000 SSNs belonging to Kansas residents. An additional 805,000 accounts without SSNs were also compromised. Kansas managed data for 16 states at the time, but only 10 were affected. AJLA-TS confirmed this was the first known breach of its databases.

The Department of Commerce contracted four companies to manage the aftermath: Epiq provided a victim call center and Equifax credit monitoring services, though contract costs were redacted as proprietary; law firm Shook, Hardy and Bacon received $175,000 for legal services through December 2017; SHI was paid approximately $60,000 for IT incident response; and Denim Group reviewed system code for improvements. Kansas offered one year of credit monitoring to victims in nine states, while Delaware residents received three years due to contractual obligations. The call center ((844) 469-3939) operated through July 2017. Exposed data included names, birth dates, and SSNs, prompting criticism from privacy advocates who argued one year of monitoring was insufficient. Agency officials did not disclose whether insurance would offset costs. Notification methods for Kansas victims weren't specified, unlike Washington State’s mailed notices following a similar breach. AJLA-TS stated its response exceeded Kansas legal requirements.
